Beendoor

By GoldSparrow in Trojans

The Beendoor malware is classified as a Remote Access Trojan (RAT) that was registered by computer security researchers in February 2016. The Beendoor RAT was developed by an Advanced Persistent Threat (APT) group based in Pakistan. The APT group behind Beendoor was active in 2016 and then dropped off the radar. The Beendoor RAT was used as one of many tools in a subdued phishing campaign aimed at Indian diplomatic envoys and military facilities. India and Pakistan have been in a dynamic political and military conflict for decades, and cyber weapons like the Beendoor Trojan are widely used by both countries.

The Beendoor malware is distributed via phishing emails that often refer to articles, video feeds and audio records related to military, political and economic topics in India. The phishing emails are sent to top-level figures in the Indian government and include weaponized Microsoft Word documents, hyperlinked text leading users to corrupted Web pages and fake Microsoft Excel documents. The APT group is known to exploit the CVE-2012-0158 vulnerability (also known as the 'MSCOMCTL.OCX RCE Vulnerability') in their campaigns. The CVE-2012-0158 vulnerability affects Microsoft Office 2003, 2007 and 2010, SQL Server 2000, 2005 and 2008, BizTalk Server 2002, Commerce Server 2002, 2007 and 2009, and Visual Basic 6.0. The exploit allows attackers to run arbitrary code, create office documents and load Web resources. Typically, users are redirected to a compromised site, which automatically downloads a corrupted tool to the visitor's PC.

The Beendoor Trojan supports the basic features you might expect from a tool in the RAT class. The Beendoor RAT allows threat actors to download files to infected hosts, pull data from the compromised computers and take screenshots of the desktop. The Beendoor Trojan is packed as an XMPP library that is loaded by a scheduled task after Windows boots up. The Beendoor RAT may run under names like 'wmplayer.exe,' 'svchost.exe,' 'word.exe,' and 'winupdate.exe' on the infected devices. The Beendoor Trojan is very small, just 40 KB (40960 bytes), and users are not likely to detect its presence without using a reputable anti-malware service. Detection names for Beendoor are listed below:

MSIL/Spy.Agent.AKD
Malicious.9cad5f
Spyware ( 004e1d811 )
TROJ_APHOST.A
Trojan-Spy.MSIL.Agent.kft
Trojan.Agent.Win32.680265
Trojan.Win32.Agent.eadsex
Trojan/Win32.Agent.C1355393
W32/Trojan.GADJ-6420
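
The process names, scheduled-task loading and 40960-byte size described above can be turned into a triage check. The following is an added example, not code from the original write-up: it flags scheduled tasks whose image uses one of the listed names but sits outside the folder where the genuine Windows binary lives. The record layout, the sample inventory and the default-install folder list are assumptions made for the illustration.

```python
import ntpath

# Image names the write-up lists for Beendoor, mapped to the folders where a
# genuine Windows binary of that name lives on a default C: install
# (assumption). An empty set means no stock Windows or Office binary uses
# that name (Word itself ships as WINWORD.EXE).
EXPECTED_DIRS = {
    "wmplayer.exe": {r"c:\program files\windows media player",
                     r"c:\program files (x86)\windows media player"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "word.exe": set(),
    "winupdate.exe": set(),
}
REPORTED_SIZE = 40960  # bytes, the size quoted in the write-up

def triage(record):
    """Return reasons a scheduled-task record deserves a closer look."""
    image = ntpath.normpath(record["image"].strip('"'))
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    if name not in EXPECTED_DIRS or folder in EXPECTED_DIRS[name]:
        return []
    reasons = [f"{name} launched from {folder}"]
    # Size alone proves nothing; count it only alongside a path mismatch.
    if record.get("size") == REPORTED_SIZE:
        reasons.append(f"file is exactly {REPORTED_SIZE} bytes")
    return reasons

def scan(records):
    """Map task name -> reasons for every record that triage() flags."""
    hits = {}
    for record in records:
        reasons = triage(record)
        if reasons:
            hits[record["task"]] = reasons
    return hits

# Constructed inventory (not real telemetry): task name, image path, size.
SAMPLE_TASKS = [
    {"task": r"\SvcHost", "image": r"C:\Windows\System32\svchost.exe", "size": 51736},
    {"task": r"\Updater", "image": r"C:\Users\Public\winupdate.exe", "size": 40960},
    {"task": r"\MediaSync", "image": r"C:\ProgramData\wmplayer.exe", "size": 167936},
    {"task": r"\Backup", "image": r"C:\Tools\backup.exe", "size": 40960},
]

if __name__ == "__main__":
    for task, reasons in scan(SAMPLE_TASKS).items():
        print(task, "->", "; ".join(reasons))
```

A hit is a lead for further inspection, not a verdict: names and file sizes are trivial to change, so confirm with file signatures and an anti-malware scan.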
